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1 (U) Overview 

(S) DarkSeaSkiesv2.0 is a tool designed for the Macbook Air that is delivered via a supply 
chain intercept or a gift to the target. There are three components that make up 
DarkSeaSkies. DarkSeaSkies is loaded onto the target MacBook Air via booting to a 
thumb drive. The first component of DarkSeaSkies is DarkMatter which is the application 
runs on the EFI of the Macbook Air. DarkMatter is responsible for loading SeaPea into 
memory so that Nightskies, which is the payload, will run. 

2 (U) Purpose of Document 

(S) This document defines the test steps and test procedures necessary to evaluate and 
establish a level of quality and operational fitness for the DarkSeaSkies tool. This 
document records the results of the tests and identifies risks. If test results are satisfactory 
and the risks accepted, the test process verified in this document helps assure the 
successful performance of the IOC mission. 

3 (U) Reference Documents 

• IMIS Requirement 2009-0247 (S) 


4 (U) Requirements 


(S) The following requirements are pulled from IMIS Requirement 2009-0270. This is 
not the full list of requirements, but only the requirements that are relevant to IV&V 
testing. 


Num 

Requirement 

Source 

Ref 

Note 

1. 

Nightskies shall support the Macbook Air using 

Mac OSX 10.5.x, current version. 

2009-0247 

l.d.ii.l 


2. 

Nightskies shall be compatible with DarkMatter 
persistence and kernel patching tool. 

2009-0247 

l.d.ii.2 


3. 

DarkMatter shall have the capability to disable 
itself after a configurable amount of time. 

2009-0247 

l.d.ii.3 


4. 

DarkMatter shall have the capability of removing 
its payload from the EFI of the Macbook Air. 

2009-0247 

l.d.ii.4 


5. 

Nightskies shall be compatible with SeaPea rootkit. 

2009-0247 

l.d.ii.5 


6. 

Nightskies shall support the following implant 
features: 

a. Beaconing to a listening post (LP). 

b. Command receipt and execution from a LP. 

c. File transfer to and from the LP. 

d. Program file execution on the Macbook. 

e. Delay after browser starts to beacon. 

2009-0247 

l.d.ii.6 

l.d.ii.6.a 
l.d.ii.6.b 
l.d.ii.6. c 
l.d.ii.6. d 
l.d.ii.6. e 
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5 (U) Approach 

(U) The Independent Verification and Validation (IV&V) team will obtain requirements 
from the developer and, where gaps exist, will identify additional tests. The requirements 
will be validated through functional testing that executes part or all of the system to 
determine if the requirement has been satisfied. Each requirement will be specifically 
addressed in a detailed test procedure. Functional and performance testing will determine 
if the client component operates as expected. 


6 (U) Test Environment 

(S) The test environment consists of one Listening Post (LP), and one Macbook Air 
running OSX Leopard 10.5.2 through 10.5.6. Each of the steps listed below were 
performed on each version of OSX 10.5.2 through 10.5.6 but will only be listed once for 
brevity. 


7 (U) Test Procedures 

7.1 (S) Test 1 - Verifying DarkSeaSkies compatibility 

(U) This test procedure tests requirement 1, 2, and 5. 

(S) Setup steps: 

*Note: The Macbook Air out of the box will be running Mac OSX 10.5.2 (Leopard). 

1. Insert the USB thumb drive with the DarkSeaSkies tool with the configuration 
to be used for the operation. For testing purposes ensure that you have copied 
all of the .guid and .name files that were created with the executable to the 
thumb drive. This will allow the test script to know what the uniquely named 
files in memory are. 

2. Power up the Macbook while holding the “option” key in order to be offered 
the option to boot to the thumb drive. This step takes about 23 seconds. 

3. Select the thumb drive and you will see “ : “. Within about 6 seconds you 
should see “ :) “ and then the Macbook will power off. At this time 
DarkSeaSkies should be installed. 

4. Power up the Macbook and run through the wizard to setup the Macbook for 
the first time. While you are going through the setup you need to ensure that 
you set the clock to the current date and time. 

5. Disable the wireless card and the Bluetooth card. 

6. Because the tool is looking for the real LP (banner.ads.biz) I added a line in the 
/etc/hosts file to point it to 10.2.4.108 which is where the testing LP is located. 

*Note: Since the tool is completely invisible to the operating system we will need to 
download a test suite from the UDB Wiki. This test suite will allow us to see some of 
the tasks, functionality, and processes of DarkSeaSkies. 
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5. Download the test suite (testSuite vl.l) from the DarkMatter page of the ETDB 
Wiki site and unpack it. 


(S) Testing steps 


Step 

Action 

Expected Result 

Req 

1 . 

Run DM_GenericTest.sh (test script) test script 
to validate that the tool has not been installed. 

DarkSeaSkies should not be installed 
even though it is loaded to the EFI 
because the activation date has not 
been reached. 

1, 2. 

5 

2. 

Advance the clock to a date after 3/22/2009 
which is the activation date and then reboot the 
machine. 

After the reboot the tool will install 
itself. 

1 2 

5 

3. 

Run the test script to verify that the tool is 
installed and that it has a status of 3 and a count 
of 1. 

A status of 3 shows that the tool is 
installed and the count of 1 shows 
that this is the first time the system 
has been booted since its installation. 

1, 2, 

5 


7.2 (S) Test 2 - Beaconing, File Transfer and Execution 

*Note: each of the below listed steps were done separately for Safari and for Firefox and 
the results were the same. 

(U) This test procedure tests requirements 6. 

(S) Setup steps:. 

f . Run the test script to ensure that the tool is installed and running. 

2. Ensure that the target machine’s clock is past the start date that was placed in the 
executable (i.e.... 3/22/2009). 


(S) Testing steps: 


Step 

Action 

Expected Result 

Req 

1 . 

Open the browser and begin surfing to a web 

Once the browser is opened and 

6 


page to activate the tool. Verify that each of the 

surfing begins the Macbook Air 



below occur. 

should beacon out to the LP and then 



a. Beaconing to the LP. 

receive its instructions which are to 



b. Execute a command from the LP. 

execute a command from the LP, get 



c. Place a files on the target and collect a files 

and put files, execute a command that 



from the target. 

resides on the target. 



d. Execute a file on the target. 

*Note: Files collected were MD5ed to 



e. Delay until browser activity. 

validate that they were the same. 



7.3 (S) Test 3 - Removal after pre-configured time 

(U) This test procedure tests requirement 3. 

(S) Setup Steps: 

f . Run the test script to ensure that the tool is installed and running. 

2. Ensure that the target machine’s clock is past the start date that was placed in the 
executable (ie... 3/22/2009). 
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(S) Testing steps 


Step 

Action 

Expected Result 

Req 

1 . 

Advance the clock more than 180 days from the 
current system time and reboot. 

DarkSeaSkies should be uninstalled. 

3 


7.4 (S) Test 4 - DarkSeaSkies Removal 

(U) This test procedure tests requirement 4. 

(S) Setup Steps: 

1. Run the test script to ensure that the tool is installed and running. 

2. Ensure that the target machine’s clock is past the start date that was placed in the 
executable (i.e.... 3/22/2009). 


(S) Testing steps: 


Step 

Action 

Expected Result 

Req 

1 . 

On the target set the nvram status variable to a 1 
and then reboot the machine. 

The nvram variable for status is: 

$(cat status.guid):$(cat status.name) 

Upon reboot the tool will be 
removed. 

6 

2. 

On the target set the nvram status variable to a 5 
and then reboot the machine. 

After rebooting the machine the tool 
will remove itself. 

6 

3. 

Power up the machine and then before it is 
finished booting hard power the system off. Do 
this 6 times in a row with no successful boots. 

After the sixth failed boot the tool 
will remove itself. 

6 

4. 

Cause a kernel panic by issuing the kwrite 
command and writing a zero to one of the 
following memory locations: 

0x5057d4 - for OSX 10.5.2 through 10.5.4 
0x5077d4 - for OSX 10.5.5 

Repeat this step three times. 

After the third kernel panic in a row 
the tool will remove itself. 

6 

5. 

Reduce the count limit to 2 by changing the 
nvram variable. 

$(cat warmng_threshold.guid):$(catwarning_threshold.name) 
Then reboot the machine and cause a kernel 
panic. 

After reboot the tool will remove 
itself. 

6 

6. 

Reduce the count limit to 1 by changing the 
nvram variable 

$(cat warning_threshold.guid):$(cat warning_threshold.name) 
Then reboot the machine and hard power off the 
machine while it is booting back up. 

This will cause the tool to remove 
itself. 

6 


8 (U) Test Report 

8.1 (U) Requirements Verification Matrix 

(U) The Requirements Verification Matrix in Table 8.1.1 displays six different letter keys 
to signify how well the tool meets the user requirement. The meaning of each letter key is 
shown below. 


Identifier 


Meaning 
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p 

The tool meets the requirement. 

I 

The tool meets the requirement but there is an issue. 

F 

The tool fails to meet the requirement. 

C 

The tool failed to meet the requirement for a specific configuration. 

n 

The requirement could not be tested. 

T 

The requirement was tested by other means. 


Table 8.1.1 (U) Requirements Verification Matrix Letter Keys 


Requirement Number 


O) 


C 

ai 

-a 


<u 

H 



1 

2 

3 

4 

5 

6 

7.1 

P 

P 



P 


7.2 







7.3 



P 



P 

7.4 




P 




Table 8.1.2 (U) Requirements Verification Matrix for Requirements 1-6 


8.2 (U) Findings 

(U) None 

8.3 (U) Observations 

8.3.1 (S) Install Time - From the target system powered of the tool can be installed in less 
than 29 seconds. It takes roughly 23 seconds to get to where you can choose the thumb 
drive as the boot device and 6 seconds for the tool to install and power off the machine. 

8.3.2 (S) Clock Considerations - If the target. . . 

• Advances his system clock by 180 days or more then the tool will uninstall. 

• Sets his system clock back by “x” amount of time, then the tool will not beacon for 
that “x” amount of time. 
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